UK draws up fresh data protection measures for Brexit


The government today published plans to overhaul the UK's data protection regulations, in order to align UK law with corresponding measures being introduced by the European Union.

Part of the proposals will see the introduction of the "right to be forgotten", allowing UK citizens to request that companies delete their personal data from any records, as well as demanding social media sites to delete data they posted as children - something the EU is not implementing.

The Information Commissioner's Office (ICO), the UK's data protection watchdog, will also be able to hand down tougher fines against firms that mishandle personal data.

Firms which are found to be in breach of the new data protection bill will face fines of up to 17 million, or 4% of global turnover, whichever is highest. That's up from the current 500,000 cap imposed by the Data Protection Act 1998.

The Data Protection Bill will replace the current Data Protection Act that came into force in 1998, and which is considered inadequate for dealing with modern data processing.

Digital minister Matt Hancock, who was responsible for drafting today's proposals, described the new Data Protection Bill as "one of the most robust, yet dynamic, set of data laws in the world".

"It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit," he added in a statement.

Information commissioner Elizabeth Denham said: "We are pleased the government recognises the importance of data protection and its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public."

The bill mirrors proposals set out under the EU's upcoming General Data Protection Regulation(GDPR), which will apply automatically in the UK on 25 May 2018, as it will in all EU member states. However, once Brexit completes, GDPR will no longer apply to the UK, meaning it must draw up its own laws. Today's Statement of Intent is the first step in doing so.

GDPR measures include making data more portable, so it can be moved easily between providers, and ensuring companies are forced to immediately disclose details of a security breach if it involved the leak of personal data. It will include similar tough fines, of up to 20 million, and will hand EU citizens the right to be forgotten, as well as force organisations to gain clear opt-in consent to use and process people's personal information.

By enshrining like-for-like regulations into UK law, it is likely that the UK will be 'whitelisted' by the EU, allowing UK and EU businesses to move data through both areas without interruption.

"Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU," said Hancock. "We are committed to ensuring that uninterrupted data flows continue between the UK and the EU and other countries around the world."

The bill aims to make it far easier for citizens to prevent companies from using their personal data without their consent, and, similar to GDPR, any companies seeking to collect information will soon be required to obtain "explicit" consent to process that data.

The scope of what constitutes personal data will also be expanded to include IP addresses, DNA and internet cookies.

Tom Thackray, innovation director at CBI, welcomed the proposals, saying they "strike the right balance in improving standards of protection while still enabling businesses to explore new products and services".

"In the modern economy, data has huge value and its innovative use leads to better services and more productive businesses. But firms know that this ability to innovate is dependent on customers having confidence that their information is well protected," added Thackray.

Javier Ruiz,policy director at digital rights campaign organisation Open Rights Group, welcomed the move to enshrine GDPR legislation into UK law, saying: "It will strengthen everyone's ability to control what data can be collected about them and how it can be used."

But he added: "These laws could be fundamentally altered after Brexit. The government must explain how these data protection rights will be guaranteed after the UK has left the EU.We are disappointed that UK ministers are not taking up the option in EU law to allow consumer privacy groups to lodge independent data protection complaints as they can currently do under consumer rights laws."

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.